Files
Mingli Yu 5a8d5924a2 meta-efi-secure-boot: check efi-secure-boot DISTRO_FEATURES
Fix the below yocto compliance issue:
  INFO: ======================================================================
  INFO: FAIL: test_signatures (common.CommonCheckLayer)
  INFO: ----------------------------------------------------------------------
  INFO: Traceback (most recent call last):
   File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures
    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
AssertionError: Adding layer meta-efi-secure-boot changed signatures.
17 signatures changed, initial differences (first hash before, second after):
   ovmf-native:do_configure: 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e -> 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      bitbake-diffsigs --task ovmf-native do_configure --signature 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      NOTE: Starting bitbake server...
      basehash changed from 8b274e0d376c63104cbbcc0004a3758f2673d9e7f959854a0ffaa82ea04a9653 to d53127a75e96264ab92cffc956f93864435d48d1a0bf22899b35f78f1daf3bb3
      Variable PACKAGECONFIG value changed:
      @@ -1,3 +1,3 @@
      - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}
      + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} secureboot
       MACHINE_FEATURES{tpm} = Unset
       MACHINE_FEATURES{tpm2} = Unset

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2022-12-06 09:16:14 +08:00

99 lines
3.0 KiB
BlitzBasic

SUMMARY = "The bootloader capable of authenticating the PE and non-PE files."
DESCRIPTION = "The SELoader is designed to authenticate the non-PE files, \
such as grub configuration, initrd, grub modules, which cannot be verified \
by the MOK Verify Protocol registered by shim loader. \
\
In order to conveniently authenticate the PE file with gBS->LoadImage() \
and gBS->StartImage(), the SELoader hooks EFI Security2 Architectural \
Protocol and employs MOK Verify Protocol to verify the PE file. If only \
UEFI Secure Boot is enabled, the SELoader just simplily calls \
gBS->LoadImage() and gBS->StartImage() to allow BIOS to verify PE file. \
\
The SELoader publishes MOK2 Verify Protocol which provides a flexible \
interface to allow the bootloader to verify the file, file buffer or \
memory buffer without knowing the file format. \
"
AUTHOR = "Jia Zhang"
HOMEPAGE = "https://github.com/jiazhang0/SELoader"
SECTION = "bootloaders"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
DEPENDS += "\
gnu-efi sbsigntool-native openssl-native ovmf \
"
PV = "0.4.6+git${SRCPV}"
SRC_URI = "\
git://github.com/jiazhang0/SELoader.git;branch=master;protocol=https \
"
SRCREV = "8b90f76a8df51d9020e67824026556434f407086"
S = "${WORKDIR}/git"
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
PARALLEL_MAKE = ""
inherit deploy user-key-store
EXTRA_OEMAKE = "\
CROSS_COMPILE="${TARGET_PREFIX}" \
SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
gnuefi_libdir=${STAGING_LIBDIR} \
LIB_GCC="`${CC} -print-libgcc-file-name`" \
"
EFI_ARCH:x86 = "ia32"
EFI_ARCH:x86-64 = "x64"
EFI_TARGET = "/boot/efi/EFI/BOOT"
python do_sign() {
sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
}
addtask sign after do_compile before do_install
do_sign[prefuncs] += "check_deploy_keys"
do_install() {
install -d ${D}${EFI_TARGET}
oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}
# Remove precompiled files, now provided by OVMF
rm -f ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
rm -f ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
if [ x"${UEFI_SB}" = x"1" ]; then
if [ x"${MOK_SB}" != x"1" ]; then
mv "${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi" \
"${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
fi
fi
}
do_deploy() {
# Deploy the unsigned images for manual signing
install -d "${DEPLOYDIR}/efi-unsigned"
install -m 0600 "${B}/Src/Efi/SELoader.efi" \
"${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"
# Deploy the signed images
if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
SEL_NAME=boot
else
SEL_NAME=SELoader
fi
install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
"${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
}
addtask deploy after do_install before do_build
RDEPENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'ovmf-pkcs7-efi', '', d)}"
FILES:${PN} += "${EFI_TARGET}"
SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/efi-unsigned"